If you go back to the history of the open source webmail project, you will find Horde, a groupware web application. First released on FreshMeet in 1998, it gained some notoriety in early 2012 when it was discovered that it had been tampered with by the 3.0 release, and packages with a backdoor were shipped for three months. Although this is not an intentional backdoor at the moment, there is a very serious problem with the Horde webmail interface. Or more precisely, a pair of problems. The most serious is CVE-2022-30287, an RCE bug that allows an authenticated user to trigger code execution on a connected server.
The weakest component is the Turba address book module, which uses a PHP factory method to access a specific address book. The
create() The method contains an interesting bit code, which first checks the initial value. If this is a string, then that value is understood as the name of the local address book to access. However, if the factory starts with an array, any address book driver, including the IMSP driver, can be used. IMSP retrieves serialized data from a remote server and desegregates it. And yes, PHP may have a desegregation bug and it runs code on the host.
But it’s not bad, it’s just a certified user, isn’t it? This is bad enough, but that second bug is triggered by a cross-site request fraud, CSRF, an email visit. So on a weak Horde server, any user who sees a malicious message will trigger RCE on the server. Oops. So let’s talk about the solution. There is a newer version of the Turba module that seems to fix the bugs, but it’s not clear if the actual Horde Suite has pushed an update to include it. So you can be on your own. As mentioned in the gold blog where the weakness was discovered, Hord himself seems to be largely unchanged at the moment. It may be time to consider moving to a new platform.
Weaknesses or features?
Slow-roll continues in the management of Microsoft’s Folina. There is another, similar, problem: Dogwalk. It’s not as bad as Folina, it’s a problem
.diagcab The handling cab can point to an XML file on a remote WebDAV server, and the returned files bypass the usual checks for unauthorized file names. So for example,
\..\..\..\..\..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malicious.exe Is made, with predictably catastrophic consequences.
Now, is this a weakness? Okay, on the one hand, it’s a file downloaded from the Internet that the user intentionally opened. On the other hand, it is not an executable and should not run the code arbitrarily. A web browser will happily download and allow a user to run potentially malicious files. It’s not a 10.0, but it does sound like a weakness. Microsoft has refused to issue a CVE, similar to their initial management of Folina, which is still exploiting the 0-day vulnerability in the wild. We can assume that Microsoft has received a national security letter regarding the bug, but this is unlikely to disappear.
Another weakness was not that
Or maybe it’s a weakness. You do it right. Formidable Library is a Node.js library for parsing form data, including file uploads. The weakness is CVE-2022-29622, an arbitrary file upload problem. You can already see the debate there. File Upload Library allows for arbitrary uploads – by design. This is literally a feature of the library. So does the whole weakness report, with a 9.8 score, absolutely bunk? Well, there’s actually a bug – or at least a feature that doesn’t always work as expected.
When you use Formidable to upload a file, it replaces the name with a random hex string. There is an option to keep the file extension, so when uploading
example.txtYou will get a file named
84d38f5e070c248df3cdccc00.txt The problem with the server is how much the file name is considered as an extension. Everything after the first period was counted as an extension, that is, if you upload a file named
test.pdf.jqlnn⟨img src="https://hackaday.com/2022/06/10/this-week-in-security-for-the-horde-feature-not-a-bug-and-confluence/a"⟩.pngYou will get a file named
randomstring.pdf.jqlnn⟨img src="https://hackaday.com/2022/06/10/this-week-in-security-for-the-horde-feature-not-a-bug-and-confluence/a"⟩.png. If you rely on this system to sanitize the name of the uploaded file, you may get an XSS or even RCE for your problem. However, this is not a weakness in formidable.
This is the argument [Zsolt Imre] His analysis of the issue and further defends. The real kicker is that the runaway fix introduced a problem at least as serious as it was trying to fix.
Mating under exploitation
Atlassian’s Confluence has a critical unauthorized RCE that is being exploited in the wild. Researchers broke the story after investigating a pair of compromised servers. Samples of the attack have been caught in various beehives and it looks like a common exploit. Due to the nature of the mating server, this issue is likely to have a follow-on effect, allowing attackers to gain access to developing networks.
Bits and bytes
How scary is it to publish RDP on the internet? For this old Linux hand, SSHD reveals terrible. They made about 40,000 attempts after 4 days, most of them trying for an administrator account. Also interesting was how many attacks were coming from a pair of network blocks, 188.8.131.52/24 and 184.108.40.206/24, both belonging to Flyserver.
The SSNDOB Marketplace has been launched offline for over 10 years This team was probably behind the attack on Brian Krebs. The only downside is that no arrests have been made as part of the takedown.